Device Configuration
See also the technical counterpart to this section
The management and operational controls to support the capabilities to configure the IoT device according to the requirements established by the organization.
Policies and procedures establish the minimum requirements for IoT device configuration settings.
Policies and procedures detail the necessary management and operational controls to support configuration of the IoT device’s software, to ensure the configuration can be securely changed, and to ensure such changes can be performed only by authorized entities. Actions that may be necessary:
Manufacturer:
- Provide documentation detailing the minimum configuration settings available within the IoT device, and how to change those settings, to meet their customers’ needs and requirements.
- Provide a process by which customers can contact the manufacturer to ask questions or obtain help related to the minimum requirements for the IoT device configuration settings.
Agency:
- Establish the requirements for configuration settings to meet policies and procedures governing the associated IoT devices based upon their roles and functions within the associated systems.
- Assign roles and responsibilities for ensuring IoT devices are configured with the appropriate configuration settings before implementation within the system. For example, ensuring default passwords are changed before implementing the device into production.
Training is provided to workers covering the IoT device configuration requirements.
Policies and procedures establish the training necessary for individuals responsible for implementing the policies and procedures for the minimum required IoT device configuration settings. Actions that may be necessary:
Manufacturer:
- Provide documentation to the IoT device customers explaining how to configure the devices, and related actions to take with the devices.
- Provide training (e.g., in person, online webinar, video, etc.) to the IoT device customers to teach them how to configure the devices, and perform related actions.
Agency:
- Establish policies and procedures for providing training to the roles responsible for configuring IoT devices.
- Ensure the personnel responsible for configuring the IoT devices are provided with training covering how to appropriately configure the devices.